For the design and implementation of engineering systems, performing model-based analysis can disclose potential safety issues at an early stage. The analysis of hybrid system models is in general difficult due to the intrinsic complexity of hybrid dynamics. In this paper, a simulation-based approach to formal verification of hybrid systems is presented.


1 Introduction 


Hybrid systems exhibit both discrete and continuous dynamics. The system state can flow continuously, and can also jump by triggering an event (transition). As an important application in the research of hybrid systems, safety verification is concerned with whether a specified set of unsafe states can be reached by the system from the initial set. One direct approach is to compute or over-approximate the set of all reachable states [8, 11, 13, 16], and then check the intersection with the unsafe set. The verification problem has also been investigated by using the abstraction approach, i.e., to construct a system model with a smaller or even finite state space, whose language is equivalent to or includes that of the original system [15]. Performing analysis of the abstraction is relatively easy, and allows us to verify properties of the original system. Various effective methods for system abstraction have been proposed [2, ?, 10]. Reachable set computation, system abstraction, and some other approaches such as barrier certificate construction [14] are capable of formally proving the system safety; but formal verification often comes at the price of conservatism and limited scalability.

As complementary verification methods, randomized approaches have been proposed to strategically explore the state space with tools such as Rapidly-Exploring Random Trees (RRTs) and Probabilistic RoadMaps (PRMs) [?]. By simulating trajectories from the initial set, one can falsify the system safety, or evaluate probabilistic safety. The randomized approaches are easy to implement because they are simulation-based; but usually a large number of trajectories need to be simulated, and no formal verification can be achieved.

It is possible to bridge the simulation-based approach and formal verification [?, 12]: with finitely many simulations run for the sampled initial states, one can verify the safety of not only the samples but also infinitely many candidates in the initial set with a mathematically proved guarantee. As in [12], a tube surrounding each simulated trajectory is computed, which over-approximates the reachable set for a neighborhood of initial states around the simulated one. If the simulated trajectory is safe, any trajectory initiated from the neighborhood must be safe, and moreover, must trigger the same event sequence as the simulated trajectory does. Such a neighborhood is called a robust neighborhood, which has both uniform safety and transition properties. If the initial set can be fully covered by the robust neighborhoods of finitely many simulated trajectories, then its transition and safety properties are verified. However, we will see in Section 2.3 that for pure safety verification problems the applicability of the robust neighborhood approach is limited, since the computed robust neighborhood can vanish due to the transition property required rather than the safety property.

Motivated by the robust neighborhood approach, we propose an algorithm for safe neighborhood computation in the present work. As its name implies, all trajectories initiated from a safe neighborhood are guaranteed safe for a certain time horizon, although their event sequences are possibly different from that of the simulated trajectory. The safe neighborhood computed for any initial state is essentially a superset of the robust neighborhood, and may have non-zero measure even if the robust neighborhood vanishes. Consequently, some initial state that cannot be covered by any robust neighborhood can be covered by the computed safe neighborhood; for some initial set where the coverage following [12] never reaches 100%, the present approach using safe neighborhoods is able to reach full coverage and verify complete safety.

2 Safe Neighborhood Approach 

2.1 Hybrid Automata Formulation 

A hybrid automaton is a tuple $H = (L \times X, L_0 \times X_0, D, E, Inv)$ [11].

The state space is $L \times X$, where $L$ denotes the set of discrete states (also called locations) and $X$ denotes the set of continuous states. The initial set is $L_0 \times X_0 \subseteq L \times X$.

Each location $\ell \in L$ is associated with an invariant set $Inv(\ell) \subseteq X$. If the system is at location $\ell$, the continuous state $x \in X$ must satisfy $x \in Inv(\ell)$. The system dynamics $D$ maps a pair $(\ell, x)$ to $\dot x$, the time derivative of $x$. Let $D^\ell$ denote the restriction of $D$ to $\{\ell\} \times X$. At location $\ell$, the system state evolves continuously according to $D^\ell$ until an event (an instantaneous transition) $e := (\ell, \ell', g, r)$, $e \in E$, occurs. The event is guarded by $g \subseteq Inv(\ell)$. Namely, a necessary condition for the occurrence of $e$ is $x \in g$. After the event, the discrete state changes from the source $\ell$ to the target $\ell'$, and the continuous state is reset according to the reset map $r : Inv(\ell) \to Inv(\ell')$. Let $(\ell, x)$ denote the system state that triggers $e = (\ell, \ell', g, r)$. Then the reset state is $(\ell', r(x))$.

A trajectory $p(\ell_0, x_0)$ of the hybrid system is the solution of $(\ell, x)$ initiated from $(\ell_0, x_0)$. Clearly, $p(\ell_0, x_0)$ is piecewise continuous. At each location $\ell$, we write $\xi^\ell(t, x_0) \in Inv(\ell)$, $t_0 \le t \le t_{end}$, as the solution of $x$, where $x_0$ is the initial condition in $\ell$, and for $t_0 \le t \le t_{end}$ the function satisfies the differential equation $\dot{\xi}^\ell(t, x_0) = D^\ell(\xi^\ell(t, x_0))$.

Consider the system state that reaches the boundary of the invariant set at the time instant $t_{end}$, i.e., $\xi^\ell(t_{end}, x_0) \in \partial Inv(\ell)$. If there exists $\tau > 0$ such that for all $\tau_1 \in (0, \tau)$, $\xi^\ell(t_{end} + \tau_1, x_0) \notin Inv(\ell)$, then we say the continuous state is evolving outward $Inv(\ell)$ at the boundary.

Let $\partial Inv(\ell)_{out}$ denote the part of the boundary $\partial Inv(\ell)$ where the continuous state is evolving outward $Inv(\ell)$, and let $G^\ell$ denote the set of guards such that the corresponding events all have $\ell$ as the source location. We assume for all $\ell$:

1. For all $g_1, g_2 \in G^\ell$, $g_1$ and $g_2$ are disjoint.

2. An event is forced to occur whenever $x \in \partial Inv(\ell)_{out}$. Without this assumption, the system state would get stuck at $\partial Inv(\ell)_{out}$, since it is not allowed to evolve outside $Inv(\ell)$. In addition, assume events can only be triggered at $\partial Inv(\ell)_{out}$. Define the active guards $G^\ell_{act} := \{g \cap \partial Inv(\ell)_{out} \mid g \in G^\ell\}$.

3. $\dot x = D^\ell(x)$ admits a unique global solution.

4. All the reset maps are continuous.
2.2 Trajectory Robustness

We briefly review the algorithm proposed in [12] for the computation of the robust neighborhood around a simulated initial state, which is based on the theory of bisimulation functions [9].

Definition 1 ([2]). Let $\phi^\ell : X \times X \to \mathbb{R}$ be a pseudo-metric on the state space of the dynamical system $\dot x = D^\ell(x)$, $x \in X$. Let $\xi^\ell(t, x_0)$ denote the solution of $\dot x = D^\ell(x)$ under the initial condition $x_0$. If for any initial states $x_0$ and $x_0'$, the function $\phi^\ell(\xi^\ell(t, x_0), \xi^\ell(t, x_0'))$ is non-increasing with respect to time $t$, then $\phi^\ell$ is a bisimulation function between the system and itself.

Consider a nominal trajectory $p(\ell, x_0)$ as shown in Fig. 1, which has been simulated for the time horizon of interest, $[t_0, t_{end}]$. The first segment of $p(\ell, x_0)$ is $\xi^\ell(t, x_0)$, $t_0^\ell \le t \le t_{end}^\ell$, where $t_0^\ell = t_0$ is the initial time. At the time $t_{end}^\ell$, $p(\ell, x_0)$ leaves $\ell$ by triggering the event $e_1 = (\ell, \ell', g_1, r_1)$, i.e., $\xi^\ell(t_{end}^\ell, x_0) \in g_1$. Define the avoided set

$$A^\ell := U^\ell \cup (G^\ell_{act} \setminus \hat g_1), \qquad (1)$$

where $\hat g_1$ is called the allowed part of the guard $g_1$. We will formally define $\hat g_1$ later. Essentially, the robust neighborhood is to be computed based on the avoided set $A^\ell$, so that all trajectories initiated from the robust neighborhood will not reach $A^\ell$ in location $\ell$.

Hence, the unsafe set $U^\ell$ must be included in $A^\ell$, as well as the undesired part of the guards $G^\ell_{act} \setminus \hat g_1$. In the particular example shown in Fig. 1, the undesired part of the guards is $G^\ell_{act} \setminus \hat g_1 := g_2 \cup (g_1 \setminus \hat g_1)$, where $g_2$ is undesired because it triggers an event $e_2$ different from the event $e_1$ triggered by the nominal trajectory, while $\hat g_1$ is excluded from $A^\ell$ since trajectories initiated from the robust neighborhood are allowed to reach $\hat g_1$ and trigger $e_1$. Because of the monotonicity of $\phi^\ell$, for any time $t \ge t_0$ and initial state $x_0'$,

$$\phi^\ell(\xi^\ell(t, x_0'), \xi^\ell(t, x_0)) \le \phi^\ell(x_0', x_0). \qquad (2)$$

Therefore, if $x_0'$ satisfies

$$\phi^\ell(x_0', x_0) < \gamma_A := \inf_{t \in [t_0, t_{end}^\ell]} \inf_{y \in A^\ell} \phi^\ell(\xi^\ell(t, x_0), y), \qquad (3)$$

then for all $t \in [t_0, t_{end}^\ell]$, $\xi^\ell(t, x_0') \notin A^\ell$.

The time horizon above may be too short, since $p(\ell, x_0')$ may leave $\ell$ later than $p(\ell, x_0)$ does. This time lag problem is handled by the Shrinking procedure (proposed in [12], and also given as Algorithm 5 below): define a preliminary robust neighborhood $B(x_0, \gamma_A) := \{x_0' \mid \phi^\ell(x_0, x_0') < \gamma_A\}$, and then shrink $B(x_0, \gamma_A)$ to a proper size $B(x_0, \gamma)$ as the robust neighborhood. As a result, for some time lag $\tau_{lag}$ that does not exceed the specified parameter $\tau_{maxlag}$, all trajectories initiated from $B(x_0, \gamma)$ are guaranteed to leave $Inv(\ell)$ before $t_{end}^\ell + \tau_{lag}$, and will not reach $A^\ell$ before they trigger $e_1$ at $\hat g_1$. See Fig. 1.

It is also proposed in [12] how to compute the event time lead $\tau_{lead}$ such that all trajectories initiated from $B(x_0, \gamma)$ are guaranteed to stay in $\ell$ before $t_{end}^\ell - \tau_{lead}$. We use $\tau_{maxlead}$ to denote an upper bound of the event time lead for the robust neighborhoods.

The allowed part of the guard $g_1$ in Eq. (1) is defined according to the robust neighborhood computed for the next location reached by the nominal trajectory, using steps similar to Eq. (3). Let $B(x_0', \gamma')$ denote the robust neighborhood computed for the reset initial state $x_0' := r_1(\xi^\ell(t_{end}^\ell, x_0))$; then

$$\hat g_1 := r_1^{-1}(B(x_0', \gamma')) \cap g_1. \qquad (4)$$

Therefore, the robust neighborhood is computed in a recursive way, from the last location reached to the first location reached.
Figure 1: Robust neighborhood computation.

Figure 2: Guard-critical trajectory.

In the last location reached (denoted by $\bar\ell$), the avoided set is defined in a form different from Eq. (1):

$$A^{\bar\ell} := U^{\bar\ell} \cup G^{\bar\ell}_{act}. \qquad (5)$$

Event time lag does not need to be considered, since $\bar\ell$ is the last location reached.

From the argument above, $B(x_0, \gamma)$ has the following property:

Proposition 2. For all $x_0' \in B(x_0, \gamma)$, the trajectory $p(\ell, x_0')$ must trigger the same event sequence as the nominal trajectory $p(\ell, x_0)$ does. The time lead and lag for triggering the same event are bounded by $\tau_{maxlead}$ and $\tau_{maxlag}$ respectively. In all the locations reached except the last one, $p(\ell, x_0')$ must stay safe before it leaves the location. In the last reached location $\bar\ell$, $p(\ell, x_0')$ must stay safe for at least the same time interval as the nominal trajectory $p(\ell, x_0)$ does.

2.3 Critical Trajectory 

Suppose in Fig. 1 the nominal trajectory reaches the closure of $g_2$, $g_1 \setminus \hat g_1$ or $U^\ell$; then clearly Eq. (3) results in zero. Such a trajectory is called critical.

Definition 3 (Critical Trajectory). If a nominal trajectory reaches the closure of the avoided set in the 
robust neighborhood computation, then it is called a critical trajectory. 

Directly following from the algorithm in [12], the proposition below holds:

Proposition 4. The robust neighborhood computed for a nominal trajectory has zero measure if and only 
if the nominal trajectory is a critical trajectory. 

Essentially, a critical trajectory has trivial robustness. There exists some infinitesimal perturbation 
of the trajectory that changes its transition or safety property. In particular, we define guard-critical 
trajectories, whose robust neighborhoods vanish due to guards rather than the unsafe set. 

Definition 5 (Guard-Critical Trajectory). A critical trajectory that does not reach the closure of the 
unsafe set is called a guard-critical trajectory. 

Guard-critical trajectories can cause issues in safety verification problems, where only the safety property is of concern. As shown in Fig. 2, the guard-critical trajectory triggers an event through $g_1$, but it also reaches the closure of $g_2$. By the robust neighborhood algorithm, the initial state $(\ell, x_0)$ cannot be covered by the robust neighborhood of any initial state. Consequently, if an initial set contains such an $(\ell, x_0)$, it can never be fully covered by robust neighborhoods. On the other hand, the nominal trajectory $p(\ell, x_0)$ is far from unsafe. So the robust neighborhood approach does not work in a satisfactory way for the purpose of safety verification.
In this work, an adapted approach called safe neighborhood is proposed to deal with this issue. Essentially, for each nominal trajectory, the computed robust neighborhood has both uniform transition and safety properties, while the safe neighborhood has only the uniform safety property. The latter is thus a superset of the former.


2.4 Safe Neighborhood Computation 

Basic Case. In order to illustrate the basic idea of safe neighborhood computation, first consider the simple case shown in Fig. 3. For simplicity, it is assumed that the nominal trajectory $p(\ell, x_0)$ does not trigger any event, but it gets sufficiently close to the active part of the guard, $g_{act} := g \cap \partial Inv(\ell)_{out}$, within the time horizon $[t_0, t_{end}]$. The guard $g$ is associated with the event $e = (\ell, \ell', g, r)$. In the location $\ell'$, there are no guards. The unsafe set is assumed to be only in $\ell'$, i.e., $U^\ell$ is empty.



Figure 3: Basic case of safe neighborhood computation. 


Algorithm 1 Basic case of safe neighborhood computation.

1: compute $(t^*, y^*) = \operatorname{argmin}_{t \in [t_0, t_{end}],\, y \in cl(g_{act})} \phi^\ell(\xi^\ell(t, x_0), y)$ ▷ $cl()$ gives the closure of a set.
2: if $\phi^\ell(\xi^\ell(t^*, x_0), y^*) < d_{thr}$ then
3:   simulate a trajectory from $r(y^*)$ for the time horizon $t^* \le t \le t_{end}$
4:   compute $\gamma' = \inf_{y \in U^{\ell'}} \inf_{t \in [t^*, t_{end}]} \phi^{\ell'}(\xi^{\ell'}(t, r(y^*)), y)$
5:   define $\bar g_{act} := \{y \in g_{act} \mid \phi^{\ell'}(r(y), r(y^*)) \ge \gamma'\}$
6:   specify a time interval $S := [t^* - \tau_{lead}, t^* + \tau_{lag}]$
7:   compute $\gamma = \min\{\inf_{t \in S} \inf_{y \in \bar g_{act}} \phi^\ell(\xi^\ell(t, x_0), y),\ \inf_{t \in [t_0, t_{end}] \setminus S} \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0), y)\}$
8: else
9:   compute $\gamma = \inf_{t \in [t_0, t_{end}]} \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0), y)$
10: end if
11: $Safe(x_0) := \{x \mid \phi^\ell(x, x_0) < \gamma\}$


At the point $y^*$ and the time instant $t^* \in [t_0, t_{end}]$, the nominal trajectory and the guard $g$ get sufficiently close ($\phi^\ell$ attains its infimum, and the infimum is smaller than the specified threshold value $d_{thr}$), which corresponds to the first case in the if-else block of Algorithm 1. Since $U^\ell$ is assumed to be empty, the bottleneck of the robust neighborhood computation is in the guard. We simulate a branch trajectory from $y^*$ for the rest of the time, $t^* \le t \le t_{end}$, which triggers $e = (\ell, \ell', g, r)$. In the target location $\ell'$, there are no guards. We compute the infimum value $\gamma'$ of $\phi^{\ell'}$ generated by the branch trajectory and the unsafe set $U^{\ell'}$. Because of the monotonicity of $\phi^{\ell'}$, for all $t \in [t^*, t_{end}]$ and $x_0' \in \{x \mid \phi^{\ell'}(x, r(y^*)) < \gamma'\}$, $\xi^{\ell'}(t, x_0')$ cannot reach $U^{\ell'}$ (see the arguments in the robust neighborhood computation).

We thus define $\hat g := \{y \in g \mid \phi^{\ell'}(r(y), r(y^*)) < \gamma'\}$ as the allowed part of $g$. For the specified time window $S := [t^* - \tau_{lead}, t^* + \tau_{lag}]$, consider $\bar g_{act} := g_{act} \setminus \hat g$ as the avoided set; while for the rest of the time, $[t_0, t_{end}] \setminus S$, consider the entire $g_{act}$ as the avoided set. Specifically, we compute

$$\gamma = \min\Big\{ \inf_{t \in S} \inf_{y \in \bar g_{act}} \phi^\ell(\xi^\ell(t, x_0), y),\ \inf_{t \in [t_0, t_{end}] \setminus S} \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(t, x_0), y) \Big\}. \qquad (6)$$

Then for all $x_0' \in Safe(x_0) := \{x \mid \phi^\ell(x, x_0) < \gamma\}$ and $t \ge t_0$, because of the monotonicity of $\phi^\ell$,

$$\phi^\ell(\xi^\ell(t, x_0'), \xi^\ell(t, x_0)) \le \phi^\ell(x_0', x_0) < \gamma. \qquad (7)$$

As a result, for all $t \in [t_0, t_{end}] \setminus S$, $\xi^\ell(t, x_0') \notin g_{act}$, while for all $t \in S$, $\xi^\ell(t, x_0') \notin \bar g_{act}$. Namely, the trajectory $p(\ell, x_0')$ is allowed to escape from $\ell$ through $\hat g$ during $S$, and then stays in $\ell'$ safely for at least $t_{end} - t^*$. If no event has been triggered, $p(\ell, x_0')$ must stay in $\ell$ safely as the nominal trajectory $p(\ell, x_0)$ does.
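The basic case worked numerically, as an added example that is not code from the paper or from the STRONG toolbox: a constructed two-location automaton with a rotation in the source location, a constant drift and one unsafe box in the target location, the Euclidean distance as bisimulation function and an identity reset, all of whose values (centre, drift, box, threshold, window) are assumptions. It computes the robust-neighborhood radius, where the whole guard is avoided over the horizon, beside the safe-neighborhood radius of Algorithm 1, where the allowed part $\hat g$ is excluded inside the window $S$.

```python
"""Added illustration of Algorithm 1 (basic case of safe-neighborhood computation)
on a constructed hybrid automaton; not code from the paper or the STRONG toolbox."""
import math

# Source location l: x' = A (x - c), a rotation about c (all values assumed).
# Rotations preserve Euclidean distance, so phi(x, y) = |x - y| is constant,
# hence non-increasing, along any pair of trajectories: a bisimulation function
# in the sense of Definition 1. Inv(l) = {x2 >= 0}; the active guard g_act is
# the line x2 = 0; the reset map r is the identity; U^l is empty (basic case).
A_SRC = ((0.0, -1.0), (1.0, 0.0))
C_SRC = (0.3, 1.05)
B_TGT = (1.0, -0.3)                       # target l': constant drift, no guards
UNSAFE_BOX = ((1.2, 1.4), (-0.9, -0.5))   # unsafe set U^{l'}: (x1 range, x2 range)
X0 = (-0.7, 1.05)          # nominal initial state; dips to 0.05 above the guard
T0, T_END = 0.0, math.pi   # time horizon of interest
DT = 1e-3                  # integration and sampling step
D_THR = 0.1                # proximity threshold d_thr of Algorithm 1
TAU_LEAD = TAU_LAG = 0.2   # half-widths of the window S around t*

def src_field(x):
    d = (x[0] - C_SRC[0], x[1] - C_SRC[1])
    return (A_SRC[0][0] * d[0] + A_SRC[0][1] * d[1],
            A_SRC[1][0] * d[0] + A_SRC[1][1] * d[1])

def simulate(field, x, t0, t1):
    """Fixed-step RK4 for x' = field(x); returns the sampled list [(t, x), ...]."""
    def axpy(a, v, w):                      # a*v + w on 2-vectors
        return (a * v[0] + w[0], a * v[1] + w[1])
    out, t = [(t0, x)], t0
    while t < t1 - 1e-12:
        h = min(DT, t1 - t)
        k1 = field(x)
        k2 = field(axpy(h / 2, k1, x))
        k3 = field(axpy(h / 2, k2, x))
        k4 = field(axpy(h, k3, x))
        x = (x[0] + h / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
             x[1] + h / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))
        t += h
        out.append((t, x))
    return out

def dist_to_guard(p):
    """phi-distance from p to the active guard g_act = {x2 = 0}."""
    return abs(p[1])

def dist_to_unsafe(p):
    """phi-distance from p to the unsafe box of l'."""
    (lo1, hi1), (lo2, hi2) = UNSAFE_BOX
    return math.hypot(max(lo1 - p[0], 0.0, p[0] - hi1),
                      max(lo2 - p[1], 0.0, p[1] - hi2))

def dist_to_avoided_guard(p, y_star, gamma_p):
    """Distance from p to g_act minus its allowed part g_hat = {y in g_act :
    phi(r(y), r(y*)) < gamma'}; with r the identity, g_hat is an open interval."""
    u = abs(p[0] - y_star[0])
    return abs(p[1]) if u >= gamma_p else math.hypot(gamma_p - u, p[1])

def nominal_trajectory():
    return simulate(src_field, X0, T0, T_END)

def robust_radius(traj):
    """Robust-neighborhood radius: the whole guard is avoided at all times (no
    event is triggered, so the guard is the only bottleneck)."""
    return min(dist_to_guard(x) for _, x in traj)

def safe_radius(traj):
    """Algorithm 1; returns (gamma, gamma'), gamma' being None in the else-branch."""
    # step 1: closest approach (t*, y*) of the nominal trajectory to cl(g_act)
    t_star, x_star = min(traj, key=lambda tx: dist_to_guard(tx[1]))
    y_star = (x_star[0], 0.0)
    if dist_to_guard(x_star) >= D_THR:           # steps 8-9: no proximity
        return robust_radius(traj), None
    # steps 3-4: branch trajectory in l' from r(y*) over [t*, t_end]; gamma' is
    # its distance to U^{l'}, so by monotonicity of phi every l'-trajectory
    # started within gamma' of r(y*) stays safe until t_end
    branch = simulate(lambda _x: B_TGT, y_star, t_star, T_END)
    gamma_p = min(dist_to_unsafe(x) for _, x in branch)
    # steps 5-7 (Eq. 6): inside S = [t* - tau_lead, t* + tau_lag] only
    # g_act \ g_hat is avoided; outside S the entire g_act is avoided
    lo, hi = t_star - TAU_LEAD, t_star + TAU_LAG
    inside = min((dist_to_avoided_guard(x, y_star, gamma_p)
                  for t, x in traj if lo <= t <= hi), default=math.inf)
    outside = min((dist_to_guard(x) for t, x in traj if not lo <= t <= hi),
                  default=math.inf)
    return min(inside, outside), gamma_p
```

With these constructed values the guard alone limits the robust radius to 0.05, while excluding the allowed part inside $S$ raises the safe radius to about 0.0625; the sampled infima are accurate to roughly the integration step.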

General Case. For more general cases, the safe neighborhood of a nominal trajectory $p(\ell_0, x_0)$ can be computed as in Algorithm 2. The time horizon is $t_0 \le t \le t_{end}$. For clarity, we denote the trajectory segments as $\{\xi^{\ell_i}(t, x_0^i),\ t_0^i \le t \le t_{end}^i\}_i$, where $N$ is the total number of events triggered.

The essential idea is as presented in the basic case: when the nominal trajectory gets sufficiently close to a guard, even if it does not actually trigger the corresponding event, we still simulate a branch trajectory according to the event. This is called a virtual event. For the branch trajectory we compute the safe neighborhood. The part of the guard that maps into the safe neighborhood of the branch trajectory is then considered as the allowed part. We exclude it from the avoided set for a short time window, and thus remove the bottleneck of the bisimulation function value. Clearly, the algorithm must be performed in a recursive way. The nominal trajectory can get sufficiently close to multiple guards in one location, and it can also get sufficiently close to guards in sequentially reached locations. For each location, not only the event triggered by the nominal trajectory itself but also all the virtual events need to be considered. We call the collection of triggered events and virtual events the event tree associated with the nominal trajectory.


Properties of Safe Neighborhoods. The safe neighborhood computed by Algorithm 2 for a general trajectory has the following properties, where Proposition 6 directly follows from the preceding arguments, and Proposition 9 is proved in the Appendix.

Proposition 6. For all $x_0' \in Safe(x_0)$, the trajectory $p(\ell_0, x_0')$ must trigger a path on the event tree that is triggered by the nominal trajectory $p(\ell_0, x_0)$ and all its branch trajectories. The time lead/lag for triggering the same event is bounded by $\tau_{maxlead}$ and $\tau_{maxlag}$ respectively. In all locations reached except the last one, $p(\ell_0, x_0')$ must stay safe before it leaves the location. In the last reached location, $p(\ell_0, x_0')$ must stay safe for at least the same time interval as $p(\ell_0, x_0)$ (or its branch trajectory).

Definition 7 (Critical State). For a guard-critical trajectory, if a state is reached by the trajectory on the closure of guards but does not trigger any event, then it is called a critical state.

Definition 8 (Enlarged Reachable Set). Let $\ell_0$ be an initial location and $Init \subseteq Inv(\ell_0)$ be a compact initial set of continuous states.

The enlarged reachable set of an initial state, $\widetilde{Reach}(x_0)$, is defined as follows:

If the trajectory $p(\ell_0, x_0)$, $t_0 \le t \le t_{end}$, is not guard-critical, then $\widetilde{Reach}(x_0)$ only includes the states in $p(\ell_0, x_0)$, $t_0 \le t \le t_{end}$. Otherwise, $\widetilde{Reach}(x_0)$ should include the original trajectory as well as all branch trajectories simulated from the critical states for the time horizon $t^* \le t \le t_{end}$, where $t^*$ denotes the time instant when the critical state is reached.

The enlarged reachable set of an initial set is defined as $\widetilde{Reach}(Init) := \bigcup_{x_0 \in Init} \widetilde{Reach}(x_0)$.

Proposition 9. The radius of the safe neighborhood computed for $x_0 \in Init$ does not vanish if and only if $\widetilde{Reach}(x_0) \cap cl(Unsafe) = \emptyset$. The radii of the safe neighborhoods $\{Safe(x_0) \mid x_0 \in Init\}$ are bounded from below by a positive number if and only if $\widetilde{Reach}(Init) \cap cl(Unsafe) = \emptyset$.
Algorithm 2 Safe neighborhood computation for a general trajectory.

1: procedure SafeNeighborhood($\ell_0$, $x_0$, $t_0$, $t_{end}$)
2:   for $i \leftarrow N$ to 1 do
3:     $d_i^u \leftarrow \inf_{t \in [t_0^i, t_{end}^i]} \inf_{y \in U^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
4:     $d_i \leftarrow \min\{d_i^u, d_{thr}\}$
5:     $T_i \leftarrow \{t \in [t_0^i, t_{end}^i] \mid ProximalGuards(\ell_i, x_0^i, t, d_i) \ne \emptyset\}$ ▷ $T_i$ is the set of time instants when the system state gets sufficiently close to certain guards.
6:     $k \leftarrow 0$, $d^{(0)} \leftarrow \infty$ ▷ $k$ is the number of pivots.
7:     while $T_i \ne \emptyset$ do
8:       $\hat d \leftarrow \inf_{t \in T_i} \inf_{y \in G^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
9:       if $d^{(k)} < \hat d$ then
10:        break the while loop
11:      end if
12:      $k \leftarrow k + 1$
13:      $t^{(k)} \leftarrow \sup\{\operatorname{argmin}_{t \in T_i} \inf_{y \in G^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)\}$ ▷ At the pivot time instant $t^{(k)}$ the system state gets closest to the guards as $t$ varies in $T_i$.
14:      $G_c^{(k)} \leftarrow ProximalGuards(\ell_i, x_0^i, t^{(k)}, d_i)$
15:      take $\tau_{lead}^{(k)} \in [0, \tau_{maxlead}]$, $\tau_{lag}^{(k)} \in [0, \tau_{maxlag}]$ such that the following conditions are satisfied for all $\tau \in [t^{(k)} - \tau_{lead}^{(k)}, t^{(k)} + \tau_{lag}^{(k)}]$:
       • $G_\tau \subseteq G_c^{(k)}$, where $G_\tau \leftarrow ProximalGuards(\ell_i, x_0^i, \tau, d_i)$.
       • $\forall g \in G_c^{(k)}$, let $(\ell_i, \ell, g, r)$ denote the corresponding event, and $y^{(k)} \leftarrow ProximalState(\ell_i, x_0^i, t^{(k)}, g)$, $y_\tau \leftarrow ProximalState(\ell_i, x_0^i, \tau, g)$. Then $\forall g \in G_\tau$, it is satisfied that $y_\tau \in S^{(k)} := r^{-1}(SafeNeighborhood(\ell, r(y^{(k)}), t^{(k)}, t_{end}))$, and $\phi^{\ell}(y_\tau, y^{(k)}) < \alpha \cdot \inf(\cdots)$, where $\alpha \in (0, 1)$ is a constant.
16:      $T^{(k)} \leftarrow [t^{(k)} - \tau_{lead}^{(k)}, t^{(k)} + \tau_{lag}^{(k)}] \setminus \bigcup_{j=1}^{k-1} T^{(j)}$ ▷ The $T^{(j)}$ are disjoint.
17:      $\hat G^{(k)} := \bigcup_{g \in G_c^{(k)}} g \cap r^{-1}(SafeNeighborhood(\ell, r(y^{(k)}), t^{(k)}, t_{end}))$ (*) ▷ $\forall g \in G_c^{(k)}$, $(\ell_i, \ell, g, r)$ is the event; $\hat G^{(k)}$ denotes the allowed part of $G_c^{(k)}$.
18:      $d^{(k)} \leftarrow \inf_{t \in T^{(k)}} \inf_{y \in G_c^{(k)} \setminus \hat G^{(k)}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
19:      $T_i \leftarrow T_i \setminus T^{(k)}$
20:    end while
21:    $A_i := [t_0^i, t_{end}^i] \setminus \bigcup_{j=1}^{k} T^{(j)}$, $d_i^g \leftarrow \inf_{t \in A_i} \inf_{y \in G^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$
22:    $\gamma_i \leftarrow \min\{d_i^u, d_i^g, d^{(1)}, \ldots, d^{(k)}\}$, $\gamma_i \leftarrow Shrinking(\gamma_i)$
23:  end for
24:  $\gamma \leftarrow \gamma_1$, $Safe(x_0) := \{x \mid \phi^{\ell_1}(x_0, x) < \gamma\}$
25:  return $Safe(x_0)$
26: end procedure
Algorithm 3 Subroutine. Obtain the guards that are sufficiently close to $\xi^\ell(\tau, x_0)$.

1: procedure ProximalGuards($\ell$, $x_0$, $\tau$, $d$)
2:   $G_c \leftarrow \{g_{act} \in G^\ell_{act} \mid \inf_{y \in g_{act}} \phi^\ell(\xi^\ell(\tau, x_0), y) < d\}$
3:   return $G_c$ ▷ Output $G_c$ as the proximal guards at the time instant $\tau$.
4: end procedure

Algorithm 4 Subroutine. Obtain the state on the guard $g$ that is closest to $\xi^\ell(\tau, x_0)$.

1: procedure ProximalState($\ell$, $x_0$, $\tau$, $g$)
2:   $Y_c \leftarrow \operatorname{argmin}_{y \in cl(g)} \phi^\ell(\xi^\ell(\tau, x_0), y)$
3:   $y \leftarrow Y_c$ ▷ For clarity, we assume $Y_c$ is a singleton. For example, when the guards are hyperplanes, $Y_c$ must be a singleton. If not, the procedure can be extended by choosing a proper $y \in Y_c$.
4:   return $y$ ▷ Output $y$ as the proximal state at the time instant $\tau$.
5: end procedure

Algorithm 5 Subroutine. Shrink the radius $\Gamma$ by a proper amount for event time lag compensation [12].

1: procedure Shrinking($\Gamma$)
2:   simulate $\xi^{\ell_i}(t, x_0^i)$ for $t_{end}^i \le t \le t_{end}^i + \tau_{maxlag}$ according to the dynamics of location $\ell_i$
3:   $d^u(\tau') \leftarrow \inf_{t \in [t_0^i, t_{end}^i + \tau']} \inf_{y \in U^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$
4:   $\mathcal{A}(\tau') := [t_0^i, t_{end}^i + \tau'] \setminus \bigcup_{j=1}^{k} T^{(j)}$ ▷ The $T^{(j)}$ are the same as in Algorithm 2.
5:   $d^g(\tau') \leftarrow \inf_{t \in \mathcal{A}(\tau')} \inf_{y \in G^{\ell_i}} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$
6:   $\Gamma(\tau') \leftarrow \min\{\Gamma, d^u(\tau'), d^g(\tau')\}$ ▷ Clearly, $\Gamma(0) = \Gamma$, and $\Gamma(\tau')$ is non-increasing.
7:   $d^{inv}(\tau') \leftarrow \sup_{t \in [t_{end}^i, t_{end}^i + \tau']} \inf_{y \in Inv(\ell_i)} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y)$ for $0 \le \tau' \le \tau_{maxlag}$ ▷ Clearly, $d^{inv}(0) = 0$, and $d^{inv}(\tau')$ is non-decreasing.
8:   $\mathcal{T} \leftarrow \{\tau' \in [0, \tau_{maxlag}] \mid \Gamma(\tau') < d^{inv}(\tau')\}$
9:   if $\mathcal{T}$ is not empty then
10:    $\tau_{lag} \leftarrow \inf \mathcal{T}$
11:  else
12:    $\tau_{lag} \leftarrow \tau_{maxlag}$
13:  end if
14:  $\Gamma' \leftarrow d^{inv}(\tau_{lag})$ ▷ $\forall \tau' \in [0, \tau_{lag}]$, $\Gamma(\tau') \ge d^{inv}(\tau')$, which implies $\Gamma(\tau_{lag}) \ge d^{inv}(\tau_{lag}) = \Gamma'$. So the avoided set cannot be reached before $t_{end}^i + \tau_{lag}$. Besides, $d^{inv}(\tau_{lag}) = \sup_{t \in [t_{end}^i, t_{end}^i + \tau_{lag}]} \inf_{y \in Inv(\ell_i)} \phi^{\ell_i}(\xi^{\ell_i}(t, x_0^i), y) = \Gamma'$. So any trajectory initiated from the shrunk neighborhood leaves $Inv(\ell_i)$ before $t_{end}^i + \tau_{lag}$.
15:  return $\Gamma'$ ▷ Output $\Gamma'$ as the radius of the shrunk neighborhood.
16: end procedure
2.5 Implementation

The robust/safe neighborhood approach is simulation-based, readily parallelizable, and thus suitable for numerical implementation. We have developed a MATLAB toolbox STRONG (System Testing with RObust Neighborhood Generation) [?] that integrates the robust neighborhood and safe neighborhood computation functions for hybrid systems with linear dynamics.

Example. In order to illustrate the verification procedure, consider the simple example in Fig. 4.

The system has three locations. The invariant sets are $Inv(\ell_1) = Inv(\ell_2) = Inv(\ell_3) = \{(x_1, x_2) \in \mathbb{R}^2 \mid x_1 \ge 1 \wedge x_2 \ge 1\}$. The dynamics are $D^{\ell_i} : \dot x = A_i x$, where $A_1$, $A_2$ and $A_3$ are constant matrices. Location $\ell_3$ has guards $g_1 = \{(x_1, x_2) \mid x_1 > 1, x_2 = 1\}$ and $g_2 = \{(x_1, x_2) \mid x_1 = 1, x_2 > 1\}$, resetting the discrete state to $\ell_1$ and $\ell_2$ respectively without changing the continuous state. There is an unsafe set $\{\ell_1, \ell_2\} \times \{(x_1, x_2) \mid 1.2 \le x_1 \le 1.4,\ 0.5 \le x_2 \le 0.9\}$. The initial state is $(1.25, 1.9)$.



Figure 4: A simulated trajectory of the simple example. Locations are reached sequentially. (Axes $x_1$ and $x_2$ from 0 to 2; the unsafe set is marked.)

We can simulate a trajectory and compute the robust neighborhood using the command
>> traj = RobustTest(sys, sim_time, max_lead, max_lag),

where sys is the system model, sim_time is the time horizon $0 \le t \le 0.5$, and max_lead = max_lag = 0.1 is the maximum event time lead/lag allowed. The nominal trajectory is shown in Fig. 4, for which the radius of the robust neighborhood computed as an output of the toolbox is
>> traj.ball.dmin = [0.0042, 0.1613].

In the last location reached, $\bar\ell = \ell_1$, there are no guards. The toolbox computes the minimum distance (measured by the bisimulation function $\phi^{\ell_1}$) from the nominal trajectory segment to Unsafe, which is 0.1613. So the robust neighborhood around the reset initial state has radius 0.1613.

In the initial location $\ell_3$, there are no unsafe states. The toolbox computes the minimum distance (measured by $\phi^{\ell_3}$) to the undesired part of the guards. The nominal trajectory triggers an event $(\ell_3, \ell_1, g_1, r)$ at $y^* \in g_1$, where $r$ is the identity matrix. Thus, $\hat g_1 := \{y \in g_1 \mid \phi^{\ell_1}(r(y), r(y^*)) < 0.1613\}$ should be defined as the allowed part of $g_1$. On the other hand, the entire guard $g_2$ is in the avoided set. Since $g_2$ is rather close to the nominal trajectory, the radius of the final robust neighborhood computed around the initial state dramatically shrinks to 0.0042.

The safe neighborhood computation function is invoked by setting the flag
>> sys.opt(1) = true,
and calling the same function RobustTest.

The toolbox will simulate a branch trajectory from $y^{(1)}$ and compute the safe neighborhood around $r(y^{(1)})$, where $r$ is the identity matrix. Based on that, part of $g_1$ will be regarded as the allowed part. The bottleneck of the minimum distance computation is thus removed. It turns out that
>> traj.ball.dmin = [0.0515, 0.1613],

where 0.0515 is the radius of the final safe neighborhood computed around the initial state.
3 Conclusion

The safe neighborhood approach for hybrid automata verification offers a mathematically proved guarantee for the safety property of infinitely many initial states by a single trajectory simulation. It inherits the advantages of the robust neighborhood approach: no need to grid the state space, and easy parallelization. The verification procedure has been implemented for linear hybrid systems by the toolbox STRONG.
Appendix A Proof of Proposition 9

Proposition 9. The radius of the safe neighborhood computed for $x_0 \in Init$ does not vanish if and only if $\widetilde{Reach}(x_0) \cap cl(Unsafe) = \emptyset$. The radii of the safe neighborhoods $\{Safe(x_0) \mid x_0 \in Init\}$ are bounded from below by a positive number if and only if $\widetilde{Reach}(Init) \cap cl(Unsafe) = \emptyset$.

Proof. To prove the first part of the proposition:

Consider a trajectory with zero radius of safe neighborhood, i.e., $\gamma_1 = 0$.

According to the subroutine Shrinking in Algorithm 5, which serves the purpose of event lag compensation, the output $\gamma_1 = 0$ if and only if the input $\gamma_1 = 0$. In Algorithm 2, $T_1$ is defined as the set of time instants when the system state gets sufficiently close to guards. Clearly, for any time instant in $A_1$, the system state is not sufficiently close to guards. Namely, $d_1^g \ge d_{thr} > 0$.

Suppose the first trajectory segment $\xi^{\ell_1}(t, x_0^1)$, $t_0^1 \le t \le t_{end}^1$, does not reach $cl(Unsafe)$; then $d_1^u > 0$. Hence, in location $\ell_1$, $d^{(k)} = 0$ for some $k$. There should be some guard $g$ whose closure has zero distance (measured by the bisimulation function $\phi^{\ell_1}$) to the trajectory segment, even if the allowed part has been excluded from the guard. Let $(\ell_1, \ell, g, r)$ denote the corresponding event. In the computation of $d^{(k)}$, $y^{(k)}$ denotes the state on $cl(g)$ that is closest to the trajectory segment, $t^{(k)}$ denotes the time instant when such a minimum distance is attained, and $S^{(k)}$ denotes the inverse image of the safe neighborhood computed for the reset initial state, i.e., $S^{(k)} := r^{-1}(SafeNeighborhood(\ell, r(y^{(k)}), t^{(k)}, t_{end}))$. For clarity, we use $d^*, y^*, t^*, S^*$ to replace the notation $d^{(k)}, y^{(k)}, t^{(k)}, S^{(k)}$.

It follows from $d^* = 0$ that $y^*$ is reached by the trajectory segment. So the trajectory simulated from $y^*$ for $t^* \le t \le t_{end}$ (which could be a branch trajectory, or the subsequent segments of the original trajectory) must belong to $\widetilde{Reach}(x_0)$. Moreover, $d^* = 0$ also implies $\inf_{y \in \partial S^*} \phi^{\ell_1}(y, y^*) = 0$. By our assumption, the reset map $r$ is a continuous function. It follows that $SafeNeighborhood(\ell, r(y^*), t^*, t_{end})$ must have zero radius.

By the preceding arguments, if the safe neighborhood computed for the first segment of the trajectory has zero radius, then either the segment itself reaches $cl(Unsafe)$, or it reaches the closure of a guard and the safe neighborhood computed around the reset initial state also has zero radius. By induction, if $Safe(x_0)$ has zero radius, there should be a segment of either the original trajectory from $x_0$ or some branch trajectory in $\widetilde{Reach}(x_0)$ that actually reaches $cl(Unsafe)$. Therefore, $Safe(x_0)$ is non-trivial as long as $\widetilde{Reach}(x_0) \cap cl(U) = \emptyset$.

It is straightforward that $\widetilde{Reach}(x_0) \cap cl(U) \ne \emptyset$ implies a trivial $Safe(x_0)$.

To prove the second part of the proposition:

Suppose there exists $\{x_j\}_{j=1}^\infty \subseteq Init$ such that $\{\gamma_j\}_{j=1}^\infty \to 0$, where $\gamma_j$ denotes the radius of $Safe(x_j)$.

Since $Init$ is compact, there is a subsequence $\{x_j\} \to x_0 \in Init$ such that $\{\gamma_j\} \to 0$ (for brevity, we use the subscript $j$ for all subsequences of $\{x_j\}$ without changes).

If the radius of a computed safe neighborhood is less than $d_{thr}$, then it must come from $d^u_{1,j}$ or $d^{(k_j)}_j$ for some $k_j$ rather than $d^g_{1,j}$ (the subscript $j$ means the value corresponds to the initial state $x_j$). For clarity, we use the notation $d^*_j, y^*_j, t^*_j, S^*_j$ to replace such $d^{(k_j)}_j, y^{(k_j)}_j, t^{(k_j)}_j, S^{(k_j)}_j$.

• Suppose that, as $j$ varies, $d^u_{1,j}$ is bounded from below by a positive number. Since $\{\gamma_j\}_{j=1}^\infty \to 0$, we can assume without loss of generality that all $\gamma_j$ come from $d^*_j$ for some $k_j$ instead of $d^u_{1,j}$ or $d^g_{1,j}$.

Since a location has finitely many guards, while there are infinitely many $j$, we can thus assume all $y^*_j$ are on the same guard $g$. $cl(g)$ is compact, so there is a subsequence $\{x_j\} \to x_0$ such that the corresponding $\{y^*_j\}$ tends to $y^*_0 \in cl(g)$.

Clearly, $\{d^*_j\}_{j=1}^\infty \to 0$ implies $\{\inf_{t \in \Delta_j} \phi^{\ell_1}(\xi^{\ell_1}(t, x_j), y^*_j)\}_{j=1}^\infty \to 0$, where $\Delta_j$ denotes the dwell time in $\ell_1$ of the trajectory initiated from $x_j$. So $\{\inf_{t \in \Delta_j} \phi^{\ell_1}(\xi^{\ell_1}(t, x_j), y^*_0)\}_{j=1}^\infty \to 0$. It follows from the continuity of the trajectory with respect to the initial condition that $\inf_t \phi^{\ell_1}(\xi^{\ell_1}(t, x_0), y^*_0) = 0$. So the first segment of the trajectory initiated from $x_0$ reaches $y^*_0 \in cl(g)$. The (branch) trajectory simulated from $y^*_0$ must belong to $\widetilde{Reach}(x_0)$. Let $\sigma_j$ denote the radius of $r(S^*_j)$. Following from $\{d^*_j\} \to 0$ and the continuity of the reset map $r$, we have $\{\sigma_j\} \to 0$ and $\{r(y^*_j)\}_{j=1}^\infty \to r(y^*_0)$.

• Suppose there exists a subsequence of initial states $\{x_j\} \to x_0$ for which $d^u_{1,j}$ tends to 0. By the continuity of the trajectory with respect to the initial condition we have $\inf_{t \in \Delta_0} \inf_{y \in U^{\ell_1}} \phi^{\ell_1}(\xi^{\ell_1}(t, x_0), y) = 0$. Namely, the first trajectory segment initiated from $x_0$ reaches $cl(Unsafe)$.

By the preceding arguments, if $\{x_j\} \to x_0$ and $\{\gamma_j\}_{j=1}^\infty \to 0$, then either the first segment of the trajectory initiated from $x_0$ reaches $cl(Unsafe)$, or there exist $\{r(y^*_j)\}_{j=1}^\infty \to r(y^*_0)$, $\{\sigma_j\} \to 0$ such that the trajectory simulated from $y^*_0$ belongs to $\widetilde{Reach}(x_0)$. Using induction, it can be proved that $\{x_j\}_{j=1}^\infty \to x_0$, $\{\gamma_j\} \to 0$ implies there must be some trajectory segment in $\widetilde{Reach}(x_0)$ that actually reaches $cl(Unsafe)$. Therefore, the radii of the safe neighborhoods $\{Safe(x_0) \mid x_0 \in Init\}$ are bounded from below by a positive number as long as $\widetilde{Reach}(Init) \cap cl(Unsafe) = \emptyset$.

The converse direction is straightforward. □



